Executive Summary
| Summary | |
|---|---|
| Title | Vulnerabilities in SMB Client Could Allow Remote Code Execution (980232) |
| Informations | |||
|---|---|---|---|
| Name | MS10-020 | First vendor Publication | 2010-04-13 |
| Vendor | Microsoft | Last vendor Modification | 2010-05-26 |
| Severity (Vendor) | Critical | Revision | 1.1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 10 | Attack Range | Network |
| Cvss Impact Score | 10 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Revision Note: V1.1 (May 26, 2010): Added a link to Microsoft Knowledge Base Article 980232 under Known Issues in the Executive Summary.Summary: This security update resolves one publicly disclosed and several privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server. |
Original Source
| Url : http://www.microsoft.com/technet/security/bulletin/MS10-020.mspx |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 80 % | CWE-399 | Resource Management Errors |
| 20 % | CWE-20 | Improper Input Validation |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:6859 | |||
| Oval ID: | oval:org.mitre.oval:def:6859 | ||
| Title: | SMB Client Message Size Vulnerability | ||
| Description: | The SMB client in Microsoft Windows Server 2008 R2 and Windows 7 does not properly handle (1) SMBv1 and (2) SMBv2 response packets, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code via a crafted packet that causes the client to read the entirety of the response, and then improperly interact with the Winsock Kernel (WSK), aka "SMB Client Message Size Vulnerability." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2010-0477 | Version: | 5 |
| Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 | Product(s): | |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:6918 | |||
| Oval ID: | oval:org.mitre.oval:def:6918 | ||
| Title: | SMB Client Response Parsing Vulnerability | ||
| Description: | The SMB client in Microsoft Windows Server 2003 SP2, Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2 allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and reboot) via a crafted SMB transaction response that uses (1) SMBv1 or (2) SMBv2, aka "SMB Client Response Parsing Vulnerability." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2010-0476 | Version: | 8 |
| Platform(s): | Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 | Product(s): | |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:7129 | |||
| Oval ID: | oval:org.mitre.oval:def:7129 | ||
| Title: | SMB Client Memory Allocation Vulnerability | ||
| Description: | The SMB client in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly allocate memory for SMB responses, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code via a crafted (1) SMBv1 or (2) SMBv2 response, aka "SMB Client Memory Allocation Vulnerability." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2010-0269 | Version: | 8 |
| Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 | Product(s): | |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:7164 | |||
| Oval ID: | oval:org.mitre.oval:def:7164 | ||
| Title: | SMB Client Transaction Vulnerability | ||
| Description: | The SMB client in Microsoft Windows Server 2008 R2 and Windows 7 does not properly validate fields in SMB transaction responses, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and reboot) via a crafted (1) SMBv1 or (2) SMBv2 response, aka "SMB Client Transaction Vulnerability." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2010-0270 | Version: | 5 |
| Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 | Product(s): | |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:7186 | |||
| Oval ID: | oval:org.mitre.oval:def:7186 | ||
| Title: | SMB Client Incomplete Response Vulnerability | ||
| Description: | The SMB client in the kernel in Microsoft Windows Server 2008 R2 and Windows 7 allows remote SMB servers and man-in-the-middle attackers to cause a denial of service (infinite loop and system hang) via a (1) SMBv1 or (2) SMBv2 response packet that contains (a) an incorrect length value in a NetBIOS header or (b) an additional length field at the end of this response packet, aka "SMB Client Incomplete Response Vulnerability." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2009-3676 | Version: | 5 |
| Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 | Product(s): | |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
ExploitDB Exploits
| id | Description |
|---|---|
| 2011-06-14 | MS HyperV Persistent DoS Vulnerability |
| 2010-04-17 | Windows 7/2008R2 SMB Client Trans2 Stack Overflow 10-020 PoC |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2010-04-14 | Name : Microsoft SMB Client Remote Code Execution Vulnerabilities (980232) File : nvt/secpod_ms10-020.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 64928 | Microsoft Windows SMB Client Transaction Response Handling Memory Corruption ... The SMB client in Microsoft Windows allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and reboot) via a crafted SMB transaction response that uses SMB response |
| 64927 | Microsoft Windows SMB Client Transaction SMB_COM_TRANSACTION2 Response Handli... The SMB client in Microsoft Windows does not properly validate fields in SMB transaction responses, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and reboot) via a crafted SMB response |
| 64926 | Microsoft Windows SMB Client Unspecified Response Handling Memory Corruption ... The SMB client in Microsoft Windows does not properly handle SMB response packets, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code via a crafted packet that causes the client to read the entirety of the response, and then improperly interact with the Winsock Kernel (WSK) |
| 64925 | Microsoft Windows SMB Client Unspecified Response Handling Memory Corruption ... The SMB client in Microsoft Windows does not properly allocate memory for SMB responses, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code via a crafted SMB response |
| 59957 | Microsoft Windows SMB Response Handling Remote DoS |
Snort® IPS/IDS
| Date | Description |
|---|---|
| 2020-01-07 | Microsoft Windows and Server malformed header denial of service attempt RuleID : 52369 - Revision : 1 - Type : OS-WINDOWS |
| 2014-03-27 | Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution ... RuleID : 29943 - Revision : 3 - Type : OS-WINDOWS |
| 2014-01-10 | Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution ... RuleID : 23237 - Revision : 8 - Type : OS-WINDOWS |
| 2014-01-10 | Microsoft Windows SMB Negotiate Protocol response DoS attempt RuleID : 18195 - Revision : 7 - Type : OS-WINDOWS |
| 2014-01-10 | Microsoft Windows SMB2 client NetBufferList NULL entry remote code execution ... RuleID : 16540 - Revision : 18 - Type : OS-WINDOWS |
| 2014-01-10 | Microsoft Windows SMBv1 BytesNeeded ring0 buffer overflow attempt RuleID : 16539 - Revision : 8 - Type : OS-WINDOWS |
| 2014-01-10 | SMB client TRANS response ring0 remote code execution attempt RuleID : 16532 - Revision : 6 - Type : NETBIOS |
| 2014-01-10 | SMB client TRANS response ring0 remote code execution attempt RuleID : 16531 - Revision : 11 - Type : NETBIOS |
| 2014-01-10 | Microsoft Windows SMB Negotiate Protocol response DoS attempt - empty SMB 2 RuleID : 16454 - Revision : 8 - Type : OS-WINDOWS |
| 2014-01-10 | SMB Negotiate Protocol response DoS attempt - empty SMB 1 RuleID : 16453 - Revision : 4 - Type : SPECIFIC-THREATS |
| 2014-01-10 | Microsoft Windows SMB Negotiate Protocol response DoS attempt RuleID : 16287 - Revision : 8 - Type : OS-WINDOWS |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2010-04-13 | Name : Arbitrary code can be executed on the remote host through the installed SMB c... File : smb_nt_ms10-020.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-03-27 21:20:56 |
|
| 2014-02-17 11:46:30 |
|
| 2014-01-19 21:30:27 |
|
